Hack The Box Writeup: Suspicious Threat
Challenge Description
Our SSH server is showing strange library linking errors, and critical folders seem to be missing despite their confirmed existence. Investigate the anomalies in the library loading process and filesystem. Look for hidden manipulations that could indicate a userland rootkit.
Step-by-Step Solution
Step 1: Spotting the Suspicious Preloaded Library
We started by investigating the reported "library linking errors." Running a scan with rkhunter flagged a suspicious preloaded library:
Checking for preloaded libraries [ Warning ]
To investigate further, we checked the contents of /etc/ld.so.preload:
cat /etc/ld.so.preload
Output:
/lib/x86_64-linux-gnu/libc.hook.so.6
This confirmed that libc.hook.so.6 is injected into every dynamically linked process on the system via /etc/ld.so.preload. A clean system almost never uses this file at all, and a library listed there can interpose on libc functions (not system calls directly) such as readdir and fopen before any program sees their results, a technique characteristic of userland rootkits.
Step 2: Investigating the Malicious Library
To understand the library’s purpose, we used strings to extract readable content:
strings /lib/x86_64-linux-gnu/libc.hook.so.6
Key Findings:
Symbols named orig_readdir and orig_fopen showed that the library wraps readdir and fopen and keeps pointers to the genuine implementations, which is how an interposing library calls through to libc after filtering results.
A suspicious string, pr3l04d_, looked like a marker prefix: file or directory names containing it would be the ones the library filters out.
A reference to hider.c showed the source file the library was built from.
We also checked the library's metadata, comparing its ownership and timestamps against the genuine libc.so.6 in the same directory to see when it was dropped:
stat /lib/x86_64-linux-gnu/libc.hook.so.6
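The hook's effect can be confirmed without trusting libc at all. The following C program is an added example written for this writeup, not code from the challenge or the original post: it lists a directory twice, once through libc's readdir() (the path ls and find use, and the one the hook intercepts) and once through the raw getdents64 syscall, then reports any entry that only the kernel returns. It assumes Linux (SYS_getdents64) and a 64-bit glibc build; the /var default directory and the 64-entry output limit are choices for the example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_ENTRIES 4096
#define NAME_LEN    256                 /* NAME_MAX (255) plus the NUL */
typedef char name_t[NAME_LEN];

/* Record layout the Linux kernel writes for getdents64, declared here so the
 * program does not depend on what glibc's headers expose. */
struct raw_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* List a directory through the raw getdents64 syscall. A preloaded hook on
 * readdir() never sees this path. Returns the entry count, or -1 on error. */
static int raw_list(const char *dir, name_t *names, int max)
{
    static unsigned long long storage[4096];   /* 32 KiB, 8-byte aligned */
    char *buf = (char *)storage;
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC), n = 0;
    if (fd < 0) return -1;
    for (;;) {
        long got = syscall(SYS_getdents64, fd, buf, sizeof storage);
        if (got <= 0) { close(fd); return got < 0 ? -1 : n; }
        for (long off = 0; off < got && n < max; ) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + off);
            snprintf(names[n++], NAME_LEN, "%s", d->d_name);
            off += d->d_reclen;
        }
    }
}

/* List the same directory the way ls and find do: through libc's readdir(). */
static int libc_list(const char *dir, name_t *names, int max)
{
    DIR *dp = opendir(dir);
    struct dirent *e;
    int n = 0;
    if (!dp) return -1;
    while (n < max && (e = readdir(dp)) != NULL)
        snprintf(names[n++], NAME_LEN, "%s", e->d_name);
    closedir(dp);
    return n;
}

/* Entries the kernel returns but libc does not: the signature of a readdir()
 * hook. Copies up to `max` names into `hidden` (may be NULL to count only)
 * and returns how many were hidden, or -1 on error. */
int find_hidden(const char *dir, name_t *hidden, int max)
{
    name_t *raw = calloc(MAX_ENTRIES, sizeof *raw);
    name_t *seen = calloc(MAX_ENTRIES, sizeof *seen);
    int nr = raw && seen ? raw_list(dir, raw, MAX_ENTRIES) : -1;
    int ns = raw && seen ? libc_list(dir, seen, MAX_ENTRIES) : -1;
    int nh = (nr < 0 || ns < 0) ? -1 : 0;
    for (int i = 0; nh >= 0 && i < nr; i++) {
        int found = 0;
        for (int j = 0; j < ns && !found; j++)
            found = strcmp(raw[i], seen[j]) == 0;
        if (found) continue;
        if (hidden && nh < max) snprintf(hidden[nh], NAME_LEN, "%s", raw[i]);
        nh++;
    }
    free(raw);
    free(seen);
    return nh;
}

/* 1 if the raw listing contains `name`, 0 if not, -1 on error. */
int raw_entry_exists(const char *dir, const char *name)
{
    name_t *names = calloc(MAX_ENTRIES, sizeof *names);
    int n = names ? raw_list(dir, names, MAX_ENTRIES) : -1, hit = 0;
    for (int i = 0; i < n && !hit; i++) hit = strcmp(names[i], name) == 0;
    free(names);
    return n < 0 ? -1 : hit;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/var";   /* the challenge's hidden dir lived under /var */
    name_t hidden[64];
    int n = find_hidden(dir, hidden, 64);
    if (n < 0) { perror(dir); return 2; }
    for (int i = 0; i < n && i < 64; i++)
        printf("hidden from readdir(): %s/%s\n", dir, hidden[i]);
    printf("%d entr%s hidden in %s\n", n, n == 1 ? "y" : "ies", dir);
    return n > 0;
}
```

Build it with gcc -static -O2 so the binary is not subject to /etc/ld.so.preload at all: a dynamic build would have libc.hook.so.6 injected into it like any other process, and a more careful hook could interpose on syscall() as well. An entry present in the raw listing but absent from the libc one, such as pr3l04d_ under /var in this challenge, is direct evidence of a readdir() hook. A kernel-level rootkit would hide from both views, so a clean result only rules out userland hiding, and a file created between the two listings shows up as a transient difference, so rerun the check on a busy directory.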
Step 3: Neutralizing the Library
To stop the malicious library from being loaded into new processes, we temporarily disabled it by renaming the preload file:
mv /etc/ld.so.preload /etc/ld.so.preload.bak
Renaming the file only affects processes started afterwards; anything already running, including sshd, still has the library mapped and its hooks in place. We therefore restarted the SSH service so that new sessions run without the hook (on a real system every long-running service would need the same treatment, or a reboot):
systemctl restart sshd
Step 4: Searching for Rootkit Artifacts
Based on the suspicious pr3l04d_ string found in the library, we searched the filesystem for related files:
find / -name "*pr3l04d*" 2>/dev/null
Output:
/var/pr3l04d_
This revealed a hidden directory under /var/ named pr3l04d_. The search only works because the preload was disabled in the previous step: find walks directories through readdir, so with the hook still active it would never have seen a name containing the marker.
Step 5: Analyzing the Rootkit Directory
We inspected the contents of /var/pr3l04d_:
ls -la /var/pr3l04d_
Inside, we found files that were clearly related to the rootkit. Using strings on these files revealed more evidence of malicious activity, including hooks to hide files and processes.
And… we found the flag hidden among these files!
Step 6: Cleaning Up
After securing the flag, we proceeded to clean up the system:
Backup the malicious directory:
tar -czvf /root/pr3l04d_backup.tar.gz /var/pr3l04d_
Remove the directory:
rm -rf /var/pr3l04d_
Rebuild the linker cache:
ldconfig
Note that ldconfig regenerates /etc/ld.so.cache; it does not read /etc/ld.so.preload, so on its own it neither loads nor unloads a preloaded library. The hook library itself, /lib/x86_64-linux-gnu/libc.hook.so.6, is still on disk after these steps and should be backed up and removed with the same care as the directory.
Step 7: Hardening the System
To prevent further compromise:
Changed passwords for all accounts.
Disabled root login over SSH:
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
systemctl restart sshd
Because sshd uses the first value it finds for each keyword, an appended line is overridden by any earlier PermitRootLogin directive (including one in a file pulled in via Include); confirm the effective setting with sshd -T before relying on it.
Scanned for any remaining rootkits:
rkhunter --check
chkrootkit
Key Takeaways
Rootkit Functionality:
The rootkit used /etc/ld.so.preload, the system-wide equivalent of the LD_PRELOAD environment variable, to interpose on libc functions such as readdir and fopen in every dynamically linked process, enabling it to hide files and directories from ls, find and any other tool that relies on libc.
Artifacts Found:
A hidden directory, /var/pr3l04d_, contained the malicious files and the flag.
System Hardening:
By disabling the preload entry and removing the rootkit directory, we removed the hooking mechanism from the system. Because the attacker already had root in order to write /etc/ld.so.preload and drop a library into /lib, a production system would still need a full compromise assessment (initial access, credentials, other persistence) before it could be considered clean.
Flag
The flag was discovered in /var/pr3l04d_ after neutralizing the rootkit.
This challenge demonstrated the importance of systematic investigation and the use of tools like strings and find in uncovering stealthy threats. Good luck on your future challenges!